Efficient network security enables successful digital multimedia transmissions. Network authentication protocols that provide authentication for client/server applications by means of secret-key cryptography exist in today's technology. Used together with a communications protocol, such authentication protocols provide secure delivery of data between two parties.
Secure Sockets Layer (SSL) is the leading security protocol on the Internet. SSL is widely used to validate the identity of a Web site and to provide authentication and encryption so that sensitive data, such as credit card and other personal data, can be sent to a vendor. Successful authentication proves the identity of the user or client machine attempting to log on. The authenticated user is granted access to specific resources based on predefined policies and the permission level assigned to the user or user group.
The process of authenticating a user involves verifying the integrity of a transmitted message between two parties. When users log onto a network, their identities must be verified and an authentication method is used to prove the identity of each specific user. When a user logs on, the network access server (NAS), wireless access point or authentication server creates a “challenge,” which is typically a random number sent to the client machine.
An authentication token is a security device issued to authorized users, who keep it in their possession. To log onto the network, the security “card” or “token” may be read directly, like a credit card, or it may display a changing number that is typed in as a password. The latter has also been implemented entirely in software.
Challenge/response systems may also work with an authentication token, which is a smart card or credit-card sized card that users have in their possession. When users log on, they respond to the challenge by either inserting their smart card into a reader or typing in the password displayed on the card's readout. In this example, either the network access server or the authentication server generates a random number and sends it to the client as the challenge. The client uses a hash algorithm to combine the challenge and the password and sends the result back. The originating component performs the same hash step and compares its result to the client's. If they match, the system knows the client has the correct password.
Another widely used form of network security is cryptography. Cryptography is the creation, distribution and maintenance of a secret key: it determines how secret keys are generated and made available to both parties. A secret key is a binary number, typically from 40 to 256 bits in length. The greater the number of bits in the key (the cipher strength), the more possible key combinations there are and the longer it would take to break the code. Data is encrypted by combining the bits in the key mathematically with the data bits; at the receiving end, the key is used to unlock the code and restore the original data. Public key systems are widely used for key exchanges. If session keys are used, key management is responsible for generating them and determining when they should be renewed.
Passwords, digital signatures, and smart cards can also be used to prove the identity of the client to the network. The client software uses its password or a secret key to encrypt the identity via an encryption algorithm or a one-way hash function and sends the result back to the network. The authentication system also performs the same cryptographic process on the challenge and compares its result to the response from the client. If they match, the authentication system has verified that the user has the correct password. While passwords are widely used to identify a user, they only verify that a user knows the password. Digital signatures guarantee that information has not been modified. The two major applications of digital signatures are for setting up a secure connection to a Web site and verifying the integrity of files transmitted. Smart cards function similarly to digital signatures. Smart cards, however, verify that users have a physical token in their possession.
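The challenge/response exchange described in this paragraph and in the token-based logon above, worked through as an added example that is not part of the original text. It uses an HMAC keyed with a password-derived secret as the "hash algorithm that combines the challenge and password"; the user store, the user name and the password are constructed for illustration, and the stored secret is a plain SHA-256 digest for brevity rather than a slow password hash.

```python
import hashlib
import hmac
import os


def derive_secret(password: bytes) -> bytes:
    """Secret the server stores and the client derives; the password itself is
    never stored on the server or sent over the network."""
    return hashlib.sha256(password).digest()


# Constructed credential store: user name -> password-derived secret.
USERS = {"alice": derive_secret(b"correct horse battery staple")}


def make_challenge(nbytes: int = 16) -> bytes:
    """Server side: a fresh random challenge for every logon attempt."""
    return os.urandom(nbytes)


def client_response(password: bytes, challenge: bytes) -> bytes:
    """Client side: combine the challenge with the password through a keyed hash
    and return only the digest."""
    return hmac.new(derive_secret(password), challenge, hashlib.sha256).digest()


def server_verify(username: str, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected digest from the stored secret and
    compare in constant time, so a mismatch leaks no timing information."""
    secret = USERS.get(username)
    if secret is None:
        # Do the same amount of work for unknown users so that user
        # enumeration by response time is not possible.
        hmac.new(b"\x00" * 32, challenge, hashlib.sha256).digest()
        return False
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def logon(username: str, password: bytes) -> bool:
    """One complete exchange: challenge out, response back, verdict."""
    challenge = make_challenge()
    return server_verify(username, challenge, client_response(password, challenge))


if __name__ == "__main__":
    print("alice, right password:", logon("alice", b"correct horse battery staple"))
    print("alice, wrong password:", logon("alice", b"hunter2"))
```

Because the challenge is random per attempt, a response captured on the wire is only valid for the challenge it answered; presenting it against a later challenge fails, which is what the random challenge buys over sending the password itself.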
Kerberos is an access control system designed to operate in both small companies and large enterprises with multiple domains and authentication servers. The Kerberos concept uses a “master ticket” obtained at logon, which is used to obtain additional “service tickets” when a particular resource is required. When users log on to a Kerberos system, their password is encrypted and sent to the authentication server in the Key Distribution Center (KDC). If successfully authenticated, the KDC creates a master ticket that is sent back to the user's machine. Each time the user wants access to a service, the master ticket is presented to the KDC in order to obtain a service ticket for that service. The master-service ticket method keeps the password more secure by sending it only once at logon. From then on, service tickets are used, which function like session keys.
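The master-ticket/service-ticket flow just described, modelled as an added example that is not part of the original text and not a Kerberos implementation. The `seal`/`unseal` pair is a toy HMAC-based authenticated encryption standing in for the block cipher that real Kerberos tickets use; the principal names, passwords, service name and ticket lifetimes are constructed. The point it shows is the one the paragraph makes: the password is proven once at logon, and every later resource request presents the master ticket to the KDC to obtain a service ticket that the service can accept with nothing but its own key.

```python
import hashlib
import hmac
import json
import os
import time

NONCE_LEN, TAG_LEN = 16, 32


def derive_key(secret: bytes) -> bytes:
    """Long-term key of a principal, derived from its password or service secret."""
    return hashlib.sha256(secret).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for block in range(-(-length // 32)):  # ceiling(length / 32) blocks
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream, then HMAC tag); a stand-in
    for the cipher real Kerberos uses, for illustration only."""
    pt = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong key or a tampered ticket raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise PermissionError("ticket rejected: bad key or tampered")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication server and ticket-granting server of the Key Distribution Center."""

    def __init__(self):
        self.tgt_key = os.urandom(32)   # master tickets are readable only by the KDC
        self.keys = {}                  # principal name -> long-term key

    def register(self, name: str, secret: bytes) -> bytes:
        self.keys[name] = derive_key(secret)
        return self.keys[name]

    def logon(self, user: str, password: bytes, now: float, ttl: float = 8 * 3600):
        """The only step that uses the password. Returns the master ticket and the
        session key sealed under the user's own key."""
        if not hmac.compare_digest(self.keys.get(user, b""), derive_key(password)):
            raise PermissionError("bad password")
        session = os.urandom(32).hex()
        master = seal(self.tgt_key, {"user": user, "session": session, "exp": now + ttl})
        return master, seal(self.keys[user], {"session": session})

    def service_ticket(self, master: bytes, service: str, now: float, ttl: float = 3600):
        """Every later resource request presents the master ticket, not the password."""
        t = unseal(self.tgt_key, master)
        if now > t["exp"]:
            raise PermissionError("master ticket expired; log on again")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "session": svc_session, "exp": now + ttl})
        return ticket, seal(bytes.fromhex(t["session"]), {"session": svc_session})


def service_accept(service_key: bytes, ticket: bytes, now: float) -> str:
    """A service needs only its own long-term key to accept a ticket, with no
    round trip to the KDC; the service session key functions like a session key."""
    t = unseal(service_key, ticket)
    if now > t["exp"]:
        raise PermissionError("service ticket expired")
    return t["user"]


def demo(now: float = None) -> str:
    """Full flow with constructed principals; returns the user the service accepted."""
    now = time.time() if now is None else now
    kdc = KDC()
    kdc.register("alice", b"alice-password")                         # constructed user
    video_key = kdc.register("video/stream.example", os.urandom(32))  # constructed service
    master, sealed = kdc.logon("alice", b"alice-password", now)
    session = bytes.fromhex(unseal(derive_key(b"alice-password"), sealed)["session"])
    ticket, sealed_svc = kdc.service_ticket(master, "video/stream.example", now)
    unseal(session, sealed_svc)  # client recovers the service session key without its password
    return service_accept(video_key, ticket, now)


if __name__ == "__main__":
    print("service accepted:", demo())
```

Everything after `logon` runs on ticket material alone: the client keeps its session key, the master ticket is opaque to everyone but the KDC, and the service ticket is opaque to everyone but the named service, which is why an expired or tampered ticket is rejected without the password ever being resent.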
In a typical multimedia system, a server responds to connection requests made by clients across a data network. Each client is subject to conventional access control to authorize reception of multimedia information across the same connection. The system can authorize clients, but is bandwidth intensive. Therefore, there is a need to streamline the authorization process in multimedia systems responding to client requests.
In a typical multimedia streaming system, a streaming server provides multicast data streams over multicast channels. A user system requests and receives an authorization code from an authorization server to receive the multicast data stream, and provides the authorization code to a streaming server. The streaming server, coupled to both an authorization server and a user system, sends the multicast data stream information to the user system upon validation of the authorization code.
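The authorization-code exchange described in this paragraph, as an added example that is not part of the original text. The authorization server issues a short-lived, single-use code bound to one user and one stream, and the streaming server, being coupled to the authorization server, validates the code online with it before returning the multicast group for the stream rather than a per-client copy of the stream data. The entitlements, stream names and multicast group addresses are constructed for illustration; a clock value is passed explicitly so that expiry can be exercised.

```python
import os


class AuthorizationServer:
    """Issues and validates authorization codes for multicast stream reception."""

    def __init__(self, entitlements: dict, ttl: float = 60.0):
        self.entitlements = entitlements   # user -> set of stream names (constructed)
        self.ttl = ttl                     # seconds a code stays valid
        self.codes = {}                    # code -> issuance record

    def issue(self, user: str, stream: str, now: float) -> str:
        """Conventional access control happens here, once per request."""
        if stream not in self.entitlements.get(user, set()):
            raise PermissionError(f"{user} is not entitled to {stream}")
        code = os.urandom(16).hex()        # unguessable; carries no user or stream data itself
        self.codes[code] = {"user": user, "stream": stream, "exp": now + self.ttl, "used": False}
        return code

    def validate(self, code: str, stream: str, now: float):
        """Returns the user the code was issued to, or None; consumes the code so a
        copied code cannot be presented a second time."""
        rec = self.codes.get(code)
        if rec is None or rec["used"] or rec["stream"] != stream or now > rec["exp"]:
            return None
        rec["used"] = True
        return rec["user"]


class StreamingServer:
    """Holds the stream -> multicast group mapping and consults the authorization
    server before handing a client the group to subscribe to."""

    def __init__(self, authz: AuthorizationServer, groups: dict):
        self.authz = authz
        self.groups = groups               # stream name -> (multicast address, UDP port)

    def request_stream(self, code: str, stream: str, now: float):
        user = self.authz.validate(code, stream, now)
        if user is None:
            return None                    # reject: bad, reused, mismatched or expired code
        return {"user": user, "stream": stream, "group": self.groups[stream]}


def build_demo():
    """Constructed entitlements and multicast groups (organization-local 239.192/14 range)."""
    authz = AuthorizationServer({"alice": {"news"}, "bob": {"news", "sports"}})
    server = StreamingServer(
        authz, {"news": ("239.192.0.10", 5004), "sports": ("239.192.0.11", 5004)}
    )
    return authz, server


if __name__ == "__main__":
    authz, server = build_demo()
    code = authz.issue("alice", "news", now=0.0)
    print("first use:", server.request_stream(code, "news", now=1.0))
    print("replayed:", server.request_stream(code, "news", now=2.0))
```

Binding the code to a stream, expiring it, and consuming it on first use limit what a copied code is worth, but they do not change what the following paragraphs point out: once the client has the multicast group, reception is no longer subject to access control, and the group address itself can be shared among subscribers.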
To reduce the bandwidth needs of a streaming system, some streaming servers respond to stream-oriented connection requests made across the network by streaming clients differently. Instead of receiving a copy of the multimedia stream, the clients receive information detailing a multicast group where the stream data can be found. The clients then receive multimedia streams by subscribing to the specified multicast group. Once clients have subscribed to a multicast group, they are no longer subject to access control. The system is less secure and security credentials can be shared among multiple subscribers, but it is less bandwidth intensive in the event the system serves a relatively large number of clients who are viewing relatively few multimedia streams.
Large businesses with streaming systems deployed across a wide and heterogeneous network have strong fiscal incentive to utilize the more bandwidth efficient multicast system. However, such businesses also have obligations to secure the content they broadcast. Thus, large businesses need systems that offer a way to authorize client reception for the entire duration of a multicast group subscription.